The ransomware group known as TEAM XXX has allegedly targeted Scania, a major Swedish commercial vehicle manufacturer and a key part of the Volkswagen Group. Following the attack, the group began leaking files purportedly stolen from Scania’s insurance subdomain, claiming the company had denied the breach and refused to engage.
Scania, a global leader in transport solutions including trucks, buses, and industrial engines, is headquartered in Södertälje, Sweden. The incident highlights the growing trend of “double extortion” ransomware attacks, in which cybercriminals not only encrypt a victim’s data but also exfiltrate it, threatening to publish the sensitive information online to pressure the company into paying the ransom. The ransomware group claimed on its leak site that it targeted a major vulnerability on the “insurance.scania.com” portal and decided to publish the data after the company “completely denied” that its systems were compromised.
The attackers’ post warned that “Important documents containing keys for the switches of those who have Clearance their vehicles were found in the files.” An initial review of the directory of leaked files suggests a wide range of potentially sensitive corporate and client information has been exposed. The titles of the leaked files include:
- Dept G Corp Council files (.xls)
- Factura (invoice) documents (.pdf)
- Recovery payment documents (.pdf)
- Transordizia RP files (.pdf)
- Engine Specification documents (.doc)
- CMR documents (.pdf)